PROFESSIONAL & FINANCIAL RISKS

Watch your step: the business governance and cyber crossover

Data security is increasingly interconnected with C-suite liability.

Business interruption (BI) cover is becoming a critical element of cyber risk management.

Companies that are growing require continual oversight and attention.

Listed companies’ share price fluctuations can involve D&O exposures.

With data vulnerability an omnipresent threat and accountability shifting to board level, awareness of how cyber and D&O insurance can intersect is critically important.

Two key topics that are getting a lot of attention in every tender, report and client contact at present concern the interconnection of directors and officers’ liability (D&O) risk and cyber or technology risk.

D&O insurance renewals require particular care and preparation because the market challenges are significant. The impact of the banking royal commission has been felt across all sectors, and there has been unprecedented scrutiny of corporate culture and governance.

What’s interesting is the apparent connection between D&O insurance and cyber insurance, because data breaches carry significant trust and reputational risks. If a network security, procedural or control weakness is exposed, this will have a significant impact on a company’s ability to maintain shareholder relations, key trading partners and business confidence.

Regulatory scrutiny of a data breach by the Office of the Australian Information Commissioner (OAIC) is increasingly likely and, when an earnings review follows, this may attract interest from the Australian Stock Exchange and Australian Securities Investments Commission.

Cyber attacks have become ever more sophisticated and when data is corrupted the breach response may be costly and complex to resolve, which increases the risk. Business interruption (BI) cover in cyber policies is increasingly recognised as a critical element of the overall cyber risk management plan.

"What’s interesting is the connection between D&O insurance and cyber insurance that we’re starting to see now, because data breaches carry significant trust and reputational risk."

Increased penalties for data breaches

The LandMark White’s data breach earlier this year illustrates the need for effective D&O and cyber cover. At the end of January approximately 100,000 of the property valuation consultancy’s clients' account details, including personal information and property values, were posted to a dark web forum by an unknown third party.

LandMark White’s clients, which included the major banks, suspended the company and share trading activity was frozen. When the company resumed trading the share price dropped 10.6% to a four-year low. Along with the urgent need to respond to the data breach, the board was facing revenue loss and both regulatory and shareholder risk.

D&O exposure can also spike along the path of business growth. Recently Gallagher has been working with enterprises growing fast year on year; some doubling in size, and others increasing as much as tenfold in their scale, activities and investor base.

Some of these entities are small cap stocks that have recently listed because they are poised to make a run – which also means that their D&O, cyber and technology insurances need to be adjusted and continually updated, requiring a different approach and focus than a larger more established business.

And when enterprises go on a run with performance that is not always positive, previous highs may give way to a heavy correction, and that’s when D&O risk is most pronounced. These considerations apply beyond listed companies: to any enterprise looking to grow, restructure, enter new territories, release new products, adopt new distribution channels or raise money through a funding arrangement. Any changes from what they were doing previously needs more attention because the current D&O market is challenging.

On the plus side, insurers are learning more about cyber risks and insureds’ exposures, and are enhancing their cover. Policy terms appear to be constantly evolving, and brokers are key to negotiating the optimal available coverage.

"On the plus side, insurers are learning more about cyber risks and insureds’ exposures, and are enhancing their cover."

A robust cyber risk mitigation strategy is not limited to internal review. Essentially it involves applying the same due diligence to the network security, controls and processes of contractors and external service providers. When clients improve their cyber security (and can demonstrate this), they can obtain better results in the insurance market. That said, companies may have the best data security and network protection, but their vulnerabilities can lie in the human factor.

Gallagher connects clients with risk management tools and services that offer cyber risk assessments and protection strategies. This includes human error management and training, auditing and due diligence, because if we can help clients work out where their exposures and vulnerabilities are, it reduces their risk.

More professional & financial risks insight

Class actions and cyber risk impacting role of directors

Gallagher’s National Head, Professional & Financial Risks, Michael Herron, discusses the changing role of directors and officers of both listed and unlisted companies as they face up to challenges around shareholder class actions and cyber breaches.